Covered Entities Flirting with Fines for Late Data Breach Reports

Last month, the Department of Health and Human Services’ Office for Civil Rights (OCR) sent a clear message to covered entities about the late reporting of data breaches when it announced a settlement with Chicago-based healthcare network Presence Health.

However, since that announcement there have been a number of instances in which covered entities have unnecessarily delayed issuing breach notification letters to patients and breach reports to OCR.

The January Breach Barometer, released by Protenus yesterday, indicates that 40% of the data breaches reported in January 2017 had notifications sent outside the timescale required by the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule.

The loss, theft, or exposure of patients’ protected health information places them at an elevated risk of identity theft and fraud. When a breach is reported promptly, patients can act quickly to protect their identities, secure their accounts, and mitigate that risk. When notification letters are delayed unnecessarily, patients face a higher risk of financial loss because those mitigations are not yet in place.

Summary of the HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule was introduced to ensure that patients are made aware promptly of any breach of their unsecured protected health information (PHI). Such a breach requires individual notices to be sent to all affected patients by first class mail (or by email, if the patient has agreed to receive electronic notices) without unreasonable delay and “in no case later than 60 days following the discovery of a breach.” The 60-day period is an outer limit, not a target: a covered entity that could reasonably have notified patients sooner is still in violation if it waits until day 60.

Notification letters must include a brief description of what happened, including the date of the breach and the date it was discovered (if known), the types of information that were exposed or stolen, the steps the covered entity or business associate is taking to investigate the breach, mitigate harm, and prevent future breaches, the steps individuals can take to protect themselves from potential harm, and contact procedures for obtaining further information, which must include a toll-free telephone number, an email address, a website, or a postal address.

If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, a substitute notice must be provided, either as a conspicuous posting on the home page of the covered entity’s website for 90 days or as a conspicuous notice in major print or broadcast media where the affected individuals likely reside. The substitute notice must include a toll-free number, and that number must remain active for at least 90 days. If contact information is missing or out of date for fewer than 10 individuals, substitute notice may be given by an alternative form of written notice, by telephone, or by other means.

A media notice must be issued if a breach affects more than 500 residents of a state or jurisdiction. That notice must be provided to prominent media outlets serving the state or jurisdiction, again without unreasonable delay and no later than 60 days after the breach is discovered.

The Secretary of the Department of Health and Human Services must be notified of a breach via OCR’s breach reporting portal. For a breach affecting 500 or more individuals, that notification must be made without unreasonable delay and no later than 60 days after discovery, alongside the individual notices. Smaller breaches, those affecting fewer than 500 individuals, may be logged and reported to OCR up to 60 days after the end of the calendar year in which the breach was discovered. The later deadline applies only to the report to OCR: the affected individuals must still be notified within 60 days of discovery.

The Breach Notification Rule and Business Associate Data Breaches

The 60-day clock binds business associates as well as covered entities. A business associate must notify the covered entity of a breach without unreasonable delay and no later than 60 days after discovering it, and where the business associate is acting as an agent of the covered entity, the breach is treated as discovered by the covered entity at the moment the business associate discovers it. The covered entity remains responsible for notifying patients, although it may delegate the issuing of breach notification letters to its business associate.

Covered entities should consider whether the business associate is in the best position to issue breach notification letters before the responsibility is delegated.

Recently, following a breach at a business associate of a covered entity, the business associate itself issued breach notification letters to the affected individuals. Since those individuals were unaware that the business associate was contracted to their insurance provider, the letters caused confusion. They contained the information patients needed to protect their identities, but with no mention of the covered entity, some patients assumed the letters were a scam.

While the Breach Notification Rule does not require it, in such situations it is better either to name the covered entity in the letters or to have the covered entity, rather than the business associate, issue the notifications.

Penalties for Late Breach Notifications

The Office for Civil Rights has shown that breach notification delays can warrant financial penalties, and those penalties can be severe. Presence Health was fined $475,000 for issuing its breach notifications around a month late; considerably higher fines are possible.

OCR can impose civil monetary penalties on covered entities and business associates of up to $1,500,000 per calendar year for violations of an identical HIPAA provision. The amount depends on which of four tiers of culpability applies, from lack of knowledge through willful neglect, with per-violation penalties ranging from $100 to $50,000 (before annual inflation adjustments).

Given OCR’s willingness to penalize Breach Notification Rule violations, covered entities should make sure that their breach response policies and procedures state the deadlines for notifying patients, the media, and OCR, that the date of discovery is recorded so the 60-day clock can be tracked, and that notifications actually go out within the allowed time.

About HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal’s goal is to assist HIPAA-covered entities in achieving and maintaining compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.